HIGH
xfrm Policy UAF
CVE-2026-43091
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.2 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: Wait for RCU readers during policy netns exit

xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory.

Fix this by adding synchronize_rcu() before freeing the policy hash tables.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in XFRM policy hash table cleanup allows unprivileged local attackers to corrupt kernel memory during network namespace teardown. On default kernels, user namespaces grant unprivileged users the ability to create and destroy network namespaces, reaching the vulnerable xfrm_policy_fini() path without requiring initial root privileges. Systems using IPsec/VPN functionality are at risk of information disclosure, kernel memory corruption, and kernel crashes.
Vulnerability analysis
The vulnerability occurs in xfrm_policy_fini() during network namespace teardown, where policy_bydst hash tables are freed without waiting for concurrent RCU readers to complete. Since commit e1e551bc5630 made these tables RCU-protected with rcu_assign_pointer() publication and rcu_dereference_check() access, the teardown must respect RCU grace periods. The missing synchronize_rcu() allows an RCU reader to access freed hash table memory, resulting in a use-after-free. An unprivileged local attacker can trigger this via user namespace creation followed by network namespace teardown. Concurrent XFRM policy lookups—triggered by IPsec packet processing—create the race window. Exploitation is complex due to timing requirements, but successful access to the freed memory can leak kernel heap contents or cause arbitrary kernel memory corruption and panic.
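To make the ordering rule from the description and the analysis concrete, the following is an added example; it is not kernel code and not part of the KernelScan report. It models the publish / lookup / teardown lifecycle of the policy_bydst table in user space with pthreads: a reader count stands in for the kernel's RCU machinery, `synchronize_rcu_model()` blocks until every reader that entered before it has left (as synchronize_rcu() does), and the stand-in for xfrm_hash_free() poisons the table instead of unmapping it so that a use-after-free is observable as a poison value rather than undefined behaviour. A stage counter forces one fixed interleaving so both runs are deterministic. Every name here (`policy_hash`, `netns_model`, `run_scenario`, the `_model` helpers, the magic values) is constructed for this illustration.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the xfrm policy_bydst table lifecycle (not kernel code). */
#define LIVE_MAGIC  0x504f4c49u   /* table is valid */
#define FREED_MAGIC 0xdeadbeefu   /* poison written by our stand-in for xfrm_hash_free() */

struct policy_hash {
    uint32_t magic;
    unsigned int hmask;
};

struct netns_model {
    struct policy_hash *policy_bydst;   /* published with rcu_assign_pointer() in the kernel */
};

/* Minimal RCU model: a reader count plus a grace period that blocks until all
 * readers that entered before it have left. The stage counter exists only to
 * pin the interleaving for the demonstration. */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  g_cv   = PTHREAD_COND_INITIALIZER;
static int g_readers;
static int g_stage;                      /* 0: start, 1: reader holds pointer, 2: table freed */
static struct policy_hash *g_quarantine; /* "freed" table kept mapped so the read is defined */

static void rcu_read_lock_model(void)
{
    pthread_mutex_lock(&g_lock);
    g_readers++;
    pthread_mutex_unlock(&g_lock);
}

static void rcu_read_unlock_model(void)
{
    pthread_mutex_lock(&g_lock);
    g_readers--;
    pthread_cond_broadcast(&g_cv);
    pthread_mutex_unlock(&g_lock);
}

/* Model of synchronize_rcu(): wait for all pre-existing readers to leave. */
static void synchronize_rcu_model(void)
{
    pthread_mutex_lock(&g_lock);
    while (g_readers > 0)
        pthread_cond_wait(&g_cv, &g_lock);
    pthread_mutex_unlock(&g_lock);
}

static void set_stage(int s)
{
    pthread_mutex_lock(&g_lock);
    g_stage = s;
    pthread_cond_broadcast(&g_cv);
    pthread_mutex_unlock(&g_lock);
}

static void wait_stage(int s)
{
    pthread_mutex_lock(&g_lock);
    while (g_stage < s)
        pthread_cond_wait(&g_cv, &g_lock);
    pthread_mutex_unlock(&g_lock);
}

/* Stand-in for xfrm_hash_free(): poison and quarantine instead of unmapping. */
static void hash_free_model(struct policy_hash *h)
{
    h->magic = FREED_MAGIC;
    g_quarantine = h;
}

struct scenario {
    struct netns_model *net;
    int reader_lingers;   /* 1: reader keeps its pointer until teardown has freed the table */
    int observed_uaf;
};

/* Reader side, modelled on a policy lookup inside rcu_read_lock(). */
static void *policy_lookup_thread(void *arg)
{
    struct scenario *s = arg;
    rcu_read_lock_model();
    struct policy_hash *h = s->net->policy_bydst;   /* rcu_dereference_check() */
    set_stage(1);
    if (s->reader_lingers)
        wait_stage(2);
    s->observed_uaf = (h->magic == FREED_MAGIC);
    rcu_read_unlock_model();
    return NULL;
}

/* Teardown side, modelled on xfrm_policy_fini(); with_synchronize selects the fix. */
static void policy_fini_model(struct netns_model *net, int with_synchronize)
{
    wait_stage(1);                  /* a lookup is in flight when teardown runs */
    if (with_synchronize)
        synchronize_rcu_model();    /* the fix: grace period before freeing */
    hash_free_model(net->policy_bydst);
    net->policy_bydst = NULL;
    set_stage(2);
}

/* Returns 1 if the reader observed freed table memory, 0 otherwise. In the fixed
 * run the reader cannot be made to linger past the free (teardown blocks until it
 * leaves), so it simply completes its lookup. */
int run_scenario(int with_synchronize)
{
    struct policy_hash *h = calloc(1, sizeof *h);
    if (!h)
        return -1;
    struct netns_model net = { h };
    struct scenario s = { &net, !with_synchronize, 0 };
    pthread_t reader;

    h->magic = LIVE_MAGIC;
    h->hmask = 7;
    g_readers = 0;
    g_stage = 0;
    g_quarantine = NULL;

    pthread_create(&reader, NULL, policy_lookup_thread, &s);
    policy_fini_model(&net, with_synchronize);
    pthread_join(reader, NULL);
    free(g_quarantine);
    return s.observed_uaf;
}

int main(void)
{
    printf("without synchronize_rcu: uaf=%d\n", run_scenario(0));
    printf("with synchronize_rcu:    uaf=%d\n", run_scenario(1));
    return 0;
}
```

The vulnerable run returns 1 because the reader still holds the pointer it obtained under the read lock when teardown frees the table; the fixed run returns 0 because `synchronize_rcu_model()` keeps teardown from freeing anything until the reader count drops to zero. Build with `-pthread` on toolchains whose libc does not already contain the pthread symbols.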
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.83 | 438b1f668ad5 |
| 6.18 | 6.18.24 | 3733fce2871c |
| 6.19 | 6.19.14 | 33a3149dd81a |
| 6.6 | 6.6.136 | b66920a3348c |
| mainline | 7.0 | 069daad4f2ae |